You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@thrift.apache.org by "Nick Gavalas (Jira)" <ji...@apache.org> on 2023/05/12 15:04:00 UTC

[jira] [Commented] (THRIFT-5710) NodeJS header transport leaks headers between all instances

    [ https://issues.apache.org/jira/browse/THRIFT-5710?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17722204#comment-17722204 ] 

Nick Gavalas commented on THRIFT-5710:
--------------------------------------

I put up [https://github.com/apache/thrift/pull/2805] as a proposed fix. Check out the test cases for an idea of how bad this one is.

> NodeJS header transport leaks headers between all instances
> -----------------------------------------------------------
>
>                 Key: THRIFT-5710
>                 URL: https://issues.apache.org/jira/browse/THRIFT-5710
>             Project: Thrift
>          Issue Type: Bug
>          Components: Node.js - Library
>    Affects Versions: 0.14.0, 0.15.0, 0.16.0, 0.17.0, 0.18.0, 0.19.0
>         Environment: This repros in all environments using the nodejs library.
>            Reporter: Nick Gavalas
>            Priority: Critical
>              Labels: bug, headers, vulnerability
>   Original Estimate: 24h
>  Remaining Estimate: 24h
>
> The header transport in `nodejs` has `TBufferTransport` and `TFramedTransport` improper extending the `THeaderTransport` prototype. The intention was to use `THeaderTransport` as an abstract base class and have concrete implementations in the other transports. In reality, every instance of `TBufferTransport` and `TFramedTransport` actually share a single instance of `THeaderTransport` being used as the prototype, which means that they all share one object that stores headers that every instance simultaneously mutates.
>  
> This leaks headers on both the read and the write paths: 
>  * You can write incorrect headers to a transport that has written headers but hasn't flushed yet. This is especially troubling if the headers are used for auth, because you're able to mix up requests and auth as the wrong entity. (i.e., if two requests set an `Auth` header).
>  * You can read headers from other requests. They only clobber each other if they have the same name, but the union of all seen headers is returned in {{getReadHeaders.}}
>  
> The fix is straightforward but urgent: the header functionality is completely broken and a security risk to use in production.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)